Amendments to the Specification 

Please replace paragraph [0009] with the following paragraph: 
[0009] Certificates often contain additional information that identifies an individual as a 
member of a particular organization and perhaps the role that they play in the organization. For 
example, the certificate may identifying identify the certificate holder as being either an 
employee of a company or a customer or subcontractor or supplier of the company. The policies 
determining who is eligible to hold a certificate are therefore important if individuals and 
organizations are to rely upon this information. These policies govern the overall operation of 
the certificate authority. 

Please replace paragraph [0010] with the following paragraph: 
[0010] In other disadvantageous PKI systems, a problem arises in that ID spoofing, that is, 
attempts by hackers to attack the PKI system, often occurs. Since a digital signature system is a 
mechanism for indicating user identities online, one form of attack by hackers is to 
commandeer the identity of a current user, while a second form of attack by hackers is to generate 
a fictitious user. Unfortunately, other disadvantageous PKI systems are vulnerable to such 
attacks. 

Please replace paragraph [0021] with the following paragraph: 
[0021] FIG. 1 illustrates an exemplary architecture of a network 100 in which the Public 
Key Infrastructure (PKI) processes of the present invention may be practiced. However, it 
should be understood that the present invention is not limited to the network 100 of FIG. 1. The 
network 100 includes data entry 102, which performs a data entry function for authoritative 
database 104, which is resident on the server platform 106. A server platform 106 is referred to 
in this description, but it should be understood that the present invention is not limited to any 
particular server architecture. The server platform 106 may be, without limitation, a UNIX or 
Windows NT server. The authoritative database 104 contains information about members of the 
group or enterprise for which PKI services in accordance with the present invention are 
performed. The present invention is not limited by the structure of the group enterprise for which 
information is stored in the authoritative database 104. The authoritative database 104 
information includes, without limitation, the name, address, telephone numbers, manager's name, 
employee identification, etc., of the members of the group or enterprise. Directory 108 has the 
structure of the database but is optimized for fast look-up of information stored therein rather 
than fast data entry. The data in the directory 108 is not changed frequently but is required to be 
accessed rapidly and functions on-line as a fast phone book, containing reference information 
about the members of the group or enterprise stored in the authoritative database 104. Certificate 
authority 110 is off-the-shelf software executed on server platform 106, providing storage of 
certificates and related information used by the present invention as described in more detail 
hereinafter. Registration authority 112 is also off-the-shelf software executable on server 
platform 106 regarding registration performed by the present invention as described in more 
detail hereinafter. Key authority 114 is also off-the-shelf server software which is executable on 
server platform 106 for recovering keys from members of the group or enterprise as described in 
more detail hereinafter. Windows 2000 Domain CA 116 may use certificates provided by the 
present invention for a single sign-on to the network 100 of FIG. 1. Legacy server 118 executes 
legacy application programs 120. The legacy server may be, without limitation, a main frame, 
mini-computer, workstation, or other server hosting legacy software applications that are 
designed to be run on PKI processes in accordance with the present invention. The legacy 
applications 120 are accessible on the client side by a custom client 128 such as an emulator or 
custom database Graphic User Interface (GUI). Examples of emulators are terminal emulators of 
an IBM 3270 or terminal emulators of a VT100. Registration web page 122, which may be one or 
more pages, functions as the user interface to the network 100 of FIG. 1. Web server 124, which 
may be, without limitation, Apache or Microsoft Internet Information Server, is a software 
application which serves Web pages, such as Web page 122 or other HTML outputs, to a web 
browser client. Web browser 126 is resident on client platform 128, which may be any user 
computer. Web browser 126 is a client software application for browsing web pages using, without 
limitation, HTML, XML, or other protocols. The Web browser 126 is 
programmed to operate with PKI certificates issued by the certificate authority 110. Examples of 
web browsers which have this capability are Netscape Navigator and the Microsoft Internet 
Explorer. The token 130 is a smart card, USB (United Universal Serial Bus), or other hardware 
token capable of generating, storing, and using PKI certificates. A user 132 is a person using the 
network 100. A user 132 transitions through a number of states which include a new user, current 
user, and a former user who no longer is a member of the group or enterprise. The network 100 
is described with reference to two levels of security, but the number of the levels of security is 
not a limitation of the present invention, with each level corresponding to a different security 
requirement. The level 1 search engine 134 is a search engine which is permitted to search 
through the network 100 but is allowed access to only level 1 data, which is the lowest level of 
security and may be, without limitation, data which is freely distributable. Level 2 data may be 
considered to be proprietary. Level 2 search engine 136 is a search engine which is allowed to 
search through both level 1 and level 2 data. A level N search engine (not illustrated) is a search 
engine which is allowed to search through servers possessing data levels 1 through N. A secured 
level server with level 1 data 138 is a Web server containing only level 1 data, which is secured 
so that users must have level 1 access (at least) to access the server. A secured Web server with 
level 2 data 140 is a Web server that contains level 2 data which has been secured so that users 
must have level 2 access, with level 2 users having access to both level 1 and level 2 servers. A 
secured Web server with level N data (not illustrated) is a Web server that contains level N data 
which is accessible by a user with level N or above access. VPN Extranet 142 is a software 
application which functions as a network gateway which, as illustrated, may be either to legacy 
server 118 and legacy application 120 or to an external network such as the Internet. Personal 
revocation authority 144 is a person who is in charge of revocation of members from the network 
100. Personal registration authority 146 is a person who is in charge of registration of members 
in the network 100. Personal recovery approval 148 is a person in charge of obtaining recovery 
of certificates. A Recovery Agent 150 is a person who performs recovery of certificates and may 
only recover a certificate if the certificate has first been designated as recoverable by another 
person. Personal role approval 152 is a person who approves different role functions within the 
network 100. A Web server administrator is in charge of various web functions in the 
network 100. 
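As an added illustration that is not part of the specification, the following Python models two controls described in paragraph [0021]: the rule that Recovery Agent 150 may recover a certificate only after a different person (Personal recovery approval 148) has designated it recoverable, and the level-N rule under which secured Web servers 138/140 and search engines 134/136 expose data only to a level at or above the data's level. The class and function names, the one-time use of a designation, and the audit log are assumptions, not elements of the patent.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RecoveryRegistry:
    """Two-person rule for certificate recovery (hypothetical model)."""
    # certificate serial -> person who designated it recoverable
    designated: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def designate_recoverable(self, approver: str, serial: str) -> None:
        """Personal recovery approval marks a certificate as recoverable."""
        self.designated[serial] = approver
        self.audit.append(f"designate serial={serial} by={approver}")

    def recover(self, agent: str, serial: str) -> bool:
        """Recovery Agent may recover only if a *different* person designated it."""
        approver: Optional[str] = self.designated.get(serial)
        if approver is None:
            self.audit.append(f"deny serial={serial} agent={agent} reason=not-designated")
            return False
        if approver == agent:
            # Same person approving and recovering defeats the separation of duties.
            self.audit.append(f"deny serial={serial} agent={agent} reason=same-person")
            return False
        # Assumption: a designation is consumed by one recovery, so a second
        # recovery of the same certificate needs a fresh approval.
        del self.designated[serial]
        self.audit.append(f"recover serial={serial} by={agent} approved_by={approver}")
        return True


def may_access(user_level: int, data_level: int) -> bool:
    """A level-N user (or search engine) may reach data at levels 1..N only."""
    return user_level >= data_level


def searchable_servers(engine_level: int, servers: Dict[str, int]) -> Set[str]:
    """Return the secured servers a search engine of the given level may index.

    `servers` maps a server name to the level of the data it holds (constructed).
    """
    return {name for name, level in servers.items() if may_access(engine_level, level)}


if __name__ == "__main__":
    reg = RecoveryRegistry()
    reg.designate_recoverable("approval-148", "SN-0001")   # constructed serial
    print(reg.recover("approval-148", "SN-0001"))          # False: same person
    print(reg.recover("agent-150", "SN-0001"))             # True
    print(searchable_servers(1, {"server-138": 1, "server-140": 2}))
```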



